authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-06-03 15:54:34 +0300
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-06-03 15:54:34 +0300
commit144ebcf11fa2a5a3ea8373e4a96723ddf6ec6748 (patch)
treef2cf2a84c7ef425d847a6b49de3773f9df15cd1e
parentd2d855d1544cb172111aae375ebdef570b9737a1 (diff)
downloadgitlab-ci-144ebcf11fa2a5a3ea8373e4a96723ddf6ec6748.tar.gz
Replace devise with auth via gitlab api
-rw-r--r--Gemfile6
-rw-r--r--Gemfile.lock14
-rw-r--r--app/controllers/application_controller.rb16
-rw-r--r--app/controllers/user_sessions_controller.rb35
-rw-r--r--app/helpers/user_sessions_helper.rb2
-rw-r--r--app/models/user_session.rb25
-rw-r--r--app/views/layouts/application.html.haml6
-rw-r--r--app/views/user_sessions/_form.html.haml12
-rw-r--r--app/views/user_sessions/edit.html.haml7
-rw-r--r--app/views/user_sessions/new.html.haml3
-rw-r--r--app/views/user_sessions/show.html.haml15
-rw-r--r--config/initializers/devise.rb233
-rw-r--r--config/routes.rb10
-rw-r--r--lib/static_model.rb47
14 files changed, 174 insertions, 257 deletions
diff --git a/Gemfile b/Gemfile
index ffcf8c7..f0aab08 100644
--- a/Gemfile
+++ b/Gemfile
@@ -17,9 +17,6 @@ gem 'pg', group: :postgres
# Settings
gem 'settingslogic'
-# Auth
-gem 'devise'
-
# Web server
gem "puma", "~> 2.0.0.b7"
@@ -43,6 +40,9 @@ gem 'kaminari'
# State machine
gem 'state_machine'
+# For API calls
+gem 'httparty', '0.11.0'
+
# API
gem 'grape'
gem 'grape-entity'
diff --git a/Gemfile.lock b/Gemfile.lock
index 162b116..6ba5fe1 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -32,7 +32,6 @@ GEM
rake
arel (3.0.2)
backports (2.6.7)
- bcrypt-ruby (3.0.1)
bootstrap-sass (2.3.1.0)
sass (~> 3.2)
builder (3.0.4)
@@ -66,11 +65,6 @@ GEM
simplecov (>= 0.7)
thor
descendants_tracker (0.0.1)
- devise (2.2.3)
- bcrypt-ruby (~> 3.0)
- orm_adapter (~> 0.1)
- railties (~> 3.1)
- warden (~> 1.2.1)
diff-lcs (1.2.2)
erubis (2.7.0)
execjs (1.4.0)
@@ -116,6 +110,9 @@ GEM
railties (>= 3.1, < 4.1)
hashie (2.0.5)
hike (1.2.2)
+ httparty (0.11.0)
+ multi_json (~> 1.0)
+ multi_xml (>= 0.5.2)
i18n (0.6.1)
journey (1.0.4)
jquery-rails (2.1.3)
@@ -137,7 +134,6 @@ GEM
multi_xml (0.5.3)
mysql2 (0.3.11)
nokogiri (1.5.9)
- orm_adapter (0.4.0)
pg (0.14.1)
polyglot (0.3.3)
pry (0.9.10)
@@ -255,8 +251,6 @@ GEM
virtus (0.5.4)
backports (~> 2.6.1)
descendants_tracker (~> 0.0.1)
- warden (1.2.1)
- rack (>= 1.0)
websocket (1.0.7)
whenever (0.8.2)
activesupport (>= 2.3.4)
@@ -273,7 +267,6 @@ DEPENDENCIES
capybara
coffee-rails (~> 3.2.1)
coveralls
- devise
factory_girl_rails
ffaker
font-awesome-sass-rails (~> 3.0.0)
@@ -284,6 +277,7 @@ DEPENDENCIES
growl
guard-rspec
haml-rails
+ httparty (= 0.11.0)
jquery-rails
kaminari
mysql2
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index a4e83aa..6c75b20 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,9 +1,25 @@
class ApplicationController < ActionController::Base
protect_from_forgery
+ helper_method :current_user
+
+ private
+
def authenticate_token!
unless project.valid_token?(params[:token])
return head(403)
end
end
+
+ def current_user
+ @current_user ||= session[:current_user]
+ end
+
+ def sign_in(user)
+ session[:current_user] = OpenStruct.new(user)
+ end
+
+ def sign_out
+ @current_user = session[:current_user] = nil
+ end
end
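Review bot: `sign_in` stores the API response in the session and neither it nor `sign_out` calls `reset_session`, so the session id issued before login survives authentication (fixation) and logout leaves any other session data in place. Make `reset_session` the first line of `sign_in`, and rewrite `sign_out` as `reset_session` followed by `@current_user = nil`. Whatever the remote session endpoint returns is serialized as an `OpenStruct` into `session[:current_user]`; if the app uses the cookie session store (not visible from this hunk) every such field is sent to the browser on each response, so keeping only the fields the app reads (the layout uses `email` and `username`) would limit exposure.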
diff --git a/app/controllers/user_sessions_controller.rb b/app/controllers/user_sessions_controller.rb
new file mode 100644
index 0000000..d99e372
--- /dev/null
+++ b/app/controllers/user_sessions_controller.rb
@@ -0,0 +1,35 @@
+class UserSessionsController < ApplicationController
+ def show
+ @user_session = UserSession.find(params[:id])
+
+ respond_to do |format|
+ format.html # show.html.erb
+ format.json { render json: @user_session }
+ end
+ end
+
+ def new
+ @user_session = UserSession.new
+ end
+
+ def create
+ @user_session = UserSession.new
+ user = @user_session.authenticate(params[:user_session])
+
+ if user && sign_in(user)
+ redirect_to root_path
+ else
+ render :new
+ end
+ end
+
+ def destroy
+ @user_session = UserSession.find(params[:id])
+ @user_session.destroy
+
+ respond_to do |format|
+ format.html { redirect_to user_sessions_url }
+ format.json { head :no_content }
+ end
+ end
+end
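Review bot: `destroy` never calls `sign_out`; it calls `UserSession.find(params[:id])`, and neither `UserSession` nor `StaticModel` as added in this commit defines `find`, so the DELETE sent by the layout's logout link would raise instead of ending the session. `show` has the same missing `find` and would render the session object — including its `password` attribute — as JSON. Replace the body of `destroy` with `sign_out` then `redirect_to root_path`, and drop `show` unless a real lookup is added; as far as this diff shows, the value `sign_in` stores carries no `id` to look up.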
diff --git a/app/helpers/user_sessions_helper.rb b/app/helpers/user_sessions_helper.rb
new file mode 100644
index 0000000..2018402
--- /dev/null
+++ b/app/helpers/user_sessions_helper.rb
@@ -0,0 +1,2 @@
+module UserSessionsHelper
+end
diff --git a/app/models/user_session.rb b/app/models/user_session.rb
new file mode 100644
index 0000000..979c6f8
--- /dev/null
+++ b/app/models/user_session.rb
@@ -0,0 +1,25 @@
+class UserSession
+ include ActiveModel::Conversion
+ include StaticModel
+ include HTTParty
+ extend ActiveModel::Naming
+
+ attr_accessor :email, :password, :url
+
+ def authenticate auth_opts
+ url = auth_opts.delete(:url)
+
+ opts = {
+ body: auth_opts.to_json,
+ headers: {"Content-Type" => "application/json"},
+ }
+
+ response = self.class.post(url + 'api/v3/session.json', opts)
+
+ if response.code == 201
+ response
+ else
+ nil
+ end
+ end
+end
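Review bot: `url` is taken from the submitted form (`auth_opts.delete(:url)`, with the matching field in `_form.html.haml`), so the server POSTs the submitted email and password to whichever host the request names, which both leaks credentials to an attacker-chosen server and lets the app be pointed at internal hosts. The GitLab base URL should come from the application's own configuration (settingslogic is already in the Gemfile) and the `url` attribute and form field should be removed; if a per-request URL is genuinely required, check it against an allow-list before use. Separately, `url + 'api/v3/session.json'` only yields a valid path when the base ends in `/`; `File.join(url, 'api/v3/session.json')` handles both forms. `auth_opts.delete` also mutates the caller's params hash; `auth_opts.except(:url)` avoids that.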
diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml
index bfd4154..41e88b8 100644
--- a/app/views/layouts/application.html.haml
+++ b/app/views/layouts/application.html.haml
@@ -25,17 +25,17 @@
%ul.nav.pull-right
- if current_user
%li
- = link_to edit_user_path(current_user) do
+ = link_to user_path(current_user.username) do
.profile-holder
= image_tag gravatar_icon(current_user.email, 24)
%span= current_user.email
%li
- = link_to destroy_user_session_path, class: "logout", method: :delete do
+ = link_to user_sessions_path, class: "logout", method: :delete do
%i.icon-signout
Logout
- else
%li
- = link_to 'Login', new_user_session_path
+ = link_to 'Login', new_user_sessions_path
.container-fluid
- if alert
.alert= alert
diff --git a/app/views/user_sessions/_form.html.haml b/app/views/user_sessions/_form.html.haml
new file mode 100644
index 0000000..105cc6f
--- /dev/null
+++ b/app/views/user_sessions/_form.html.haml
@@ -0,0 +1,12 @@
+= form_for @user_session do |f|
+ .field
+ = f.label :email
+ = f.text_field :email
+ .field
+ = f.label :password
+ = f.password_field :password
+ .field
+ = f.label :url
+ = f.text_field :url
+ .actions
+ = f.submit 'Save'
diff --git a/app/views/user_sessions/edit.html.haml b/app/views/user_sessions/edit.html.haml
new file mode 100644
index 0000000..5a0b886
--- /dev/null
+++ b/app/views/user_sessions/edit.html.haml
@@ -0,0 +1,7 @@
+%h1 Editing user_session
+
+= render 'form'
+
+= link_to 'Show', @user_session
+\|
+= link_to 'Back', user_sessions_path
diff --git a/app/views/user_sessions/new.html.haml b/app/views/user_sessions/new.html.haml
new file mode 100644
index 0000000..17a2685
--- /dev/null
+++ b/app/views/user_sessions/new.html.haml
@@ -0,0 +1,3 @@
+%h1 New user_session
+
+= render 'form'
diff --git a/app/views/user_sessions/show.html.haml b/app/views/user_sessions/show.html.haml
new file mode 100644
index 0000000..3886b87
--- /dev/null
+++ b/app/views/user_sessions/show.html.haml
@@ -0,0 +1,15 @@
+%p#notice= notice
+
+%p
+ %b Email:
+ = @user_session.email
+%p
+ %b Password:
+ = @user_session.password
+%p
+ %b Url:
+ = @user_session.url
+
+= link_to 'Edit', edit_user_session_path(@user_session)
+\|
+= link_to 'Back', user_sessions_path
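Review bot: This view prints `@user_session.password` in clear text and links to `edit_user_session_path`, a helper the singular `resource :user_sessions` route added in config/routes.rb would not generate (its helpers are `user_sessions_path` / `edit_user_sessions_path`, as the layout already uses). Both look like scaffold leftovers; with no persisted session object to display, removing show.html.haml and edit.html.haml together with the `show` action keeps the password from ever being rendered.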
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
deleted file mode 100644
index 91d5426..0000000
--- a/config/initializers/devise.rb
+++ /dev/null
@@ -1,233 +0,0 @@
-# Use this hook to configure devise mailer, warden hooks and so forth.
-# Many of these configuration options can be set straight in your model.
-Devise.setup do |config|
- # ==> Mailer Configuration
- # Configure the e-mail address which will be shown in Devise::Mailer,
- # note that it will be overwritten if you use your own mailer class with default "from" parameter.
- config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
-
- # Configure the class responsible to send e-mails.
- # config.mailer = "Devise::Mailer"
-
- # ==> ORM configuration
- # Load and configure the ORM. Supports :active_record (default) and
- # :mongoid (bson_ext recommended) by default. Other ORMs may be
- # available as additional gems.
- require 'devise/orm/active_record'
-
- # ==> Configuration for any authentication mechanism
- # Configure which keys are used when authenticating a user. The default is
- # just :email. You can configure it to use [:username, :subdomain], so for
- # authenticating a user, both parameters are required. Remember that those
- # parameters are used only when authenticating and not when retrieving from
- # session. If you need permissions, you should implement that in a before filter.
- # You can also supply a hash where the value is a boolean determining whether
- # or not authentication should be aborted when the value is not present.
- # config.authentication_keys = [ :email ]
-
- # Configure parameters from the request object used for authentication. Each entry
- # given should be a request method and it will automatically be passed to the
- # find_for_authentication method and considered in your model lookup. For instance,
- # if you set :request_keys to [:subdomain], :subdomain will be used on authentication.
- # The same considerations mentioned for authentication_keys also apply to request_keys.
- # config.request_keys = []
-
- # Configure which authentication keys should be case-insensitive.
- # These keys will be downcased upon creating or modifying a user and when used
- # to authenticate or find a user. Default is :email.
- config.case_insensitive_keys = [ :email ]
-
- # Configure which authentication keys should have whitespace stripped.
- # These keys will have whitespace before and after removed upon creating or
- # modifying a user and when used to authenticate or find a user. Default is :email.
- config.strip_whitespace_keys = [ :email ]
-
- # Tell if authentication through request.params is enabled. True by default.
- # It can be set to an array that will enable params authentication only for the
- # given strategies, for example, `config.params_authenticatable = [:database]` will
- # enable it only for database (email + password) authentication.
- # config.params_authenticatable = true
-
- # Tell if authentication through HTTP Basic Auth is enabled. False by default.
- # It can be set to an array that will enable http authentication only for the
- # given strategies, for example, `config.http_authenticatable = [:token]` will
- # enable it only for token authentication.
- # config.http_authenticatable = false
-
- # If http headers should be returned for AJAX requests. True by default.
- # config.http_authenticatable_on_xhr = true
-
- # The realm used in Http Basic Authentication. "Application" by default.
- # config.http_authentication_realm = "Application"
-
- # It will change confirmation, password recovery and other workflows
- # to behave the same regardless if the e-mail provided was right or wrong.
- # Does not affect registerable.
- # config.paranoid = true
-
- # By default Devise will store the user in session. You can skip storage for
- # :http_auth and :token_auth by adding those symbols to the array below.
- # Notice that if you are skipping storage for all authentication paths, you
- # may want to disable generating routes to Devise's sessions controller by
- # passing :skip => :sessions to `devise_for` in your config/routes.rb
- config.skip_session_storage = [:http_auth]
-
- # ==> Configuration for :database_authenticatable
- # For bcrypt, this is the cost for hashing the password and defaults to 10. If
- # using other encryptors, it sets how many times you want the password re-encrypted.
- #
- # Limiting the stretches to just one in testing will increase the performance of
- # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
- # a value less than 10 in other environments.
- config.stretches = Rails.env.test? ? 1 : 10
-
- # Setup a pepper to generate the encrypted password.
- # config.pepper = "49a4a37eb4b21709177e20a794c15be7810db404aef3c5f6d14a2e4d0ccece7505b94784c5c395db3ed9fb893599da1d4a312418e1ea4b88a3f57eb74d6f5909"
-
- # ==> Configuration for :confirmable
- # A period that the user is allowed to access the website even without
- # confirming his account. For instance, if set to 2.days, the user will be
- # able to access the website for two days without confirming his account,
- # access will be blocked just in the third day. Default is 0.days, meaning
- # the user cannot access the website without confirming his account.
- # config.allow_unconfirmed_access_for = 2.days
-
- # If true, requires any email changes to be confirmed (exactly the same way as
- # initial account confirmation) to be applied. Requires additional unconfirmed_email
- # db field (see migrations). Until confirmed new email is stored in
- # unconfirmed email column, and copied to email column on successful confirmation.
- config.reconfirmable = true
-
- # Defines which key will be used when confirming an account
- # config.confirmation_keys = [ :email ]
-
- # ==> Configuration for :rememberable
- # The time the user will be remembered without asking for credentials again.
- # config.remember_for = 2.weeks
-
- # If true, extends the user's remember period when remembered via cookie.
- # config.extend_remember_period = false
-
- # Options to be passed to the created cookie. For instance, you can set
- # :secure => true in order to force SSL only cookies.
- # config.rememberable_options = {}
-
- # ==> Configuration for :validatable
- # Range for password length. Default is 6..128.
- # config.password_length = 6..128
-
- # Email regex used to validate email formats. It simply asserts that
- # an one (and only one) @ exists in the given string. This is mainly
- # to give user feedback and not to assert the e-mail validity.
- # config.email_regexp = /\A[^@]+@[^@]+\z/
-
- # ==> Configuration for :timeoutable
- # The time you want to timeout the user session without activity. After this
- # time the user will be asked for credentials again. Default is 30 minutes.
- # config.timeout_in = 30.minutes
-
- # If true, expires auth token on session timeout.
- # config.expire_auth_token_on_timeout = false
-
- # ==> Configuration for :lockable
- # Defines which strategy will be used to lock an account.
- # :failed_attempts = Locks an account after a number of failed attempts to sign in.
- # :none = No lock strategy. You should handle locking by yourself.
- # config.lock_strategy = :failed_attempts
-
- # Defines which key will be used when locking and unlocking an account
- # config.unlock_keys = [ :email ]
-
- # Defines which strategy will be used to unlock an account.
- # :email = Sends an unlock link to the user email
- # :time = Re-enables login after a certain amount of time (see :unlock_in below)
- # :both = Enables both strategies
- # :none = No unlock strategy. You should handle unlocking by yourself.
- # config.unlock_strategy = :both
-
- # Number of authentication tries before locking an account if lock_strategy
- # is failed attempts.
- # config.maximum_attempts = 20
-
- # Time interval to unlock the account if :time is enabled as unlock_strategy.
- # config.unlock_in = 1.hour
-
- # ==> Configuration for :recoverable
- #
- # Defines which key will be used when recovering the password for an account
- # config.reset_password_keys = [ :email ]
-
- # Time interval you can reset your password with a reset password key.
- # Don't put a too small interval or your users won't have the time to
- # change their passwords.
- config.reset_password_within = 6.hours
-
- # ==> Configuration for :encryptable
- # Allow you to use another encryption algorithm besides bcrypt (default). You can use
- # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
- # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
- # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
- # REST_AUTH_SITE_KEY to pepper)
- # config.encryptor = :sha512
-
- # ==> Configuration for :token_authenticatable
- # Defines name of the authentication token params key
- # config.token_authentication_key = :auth_token
-
- # ==> Scopes configuration
- # Turn scoped views on. Before rendering "sessions/new", it will first check for
- # "users/sessions/new". It's turned off by default because it's slower if you
- # are using only default views.
- # config.scoped_views = false
-
- # Configure the default scope given to Warden. By default it's the first
- # devise role declared in your routes (usually :user).
- # config.default_scope = :user
-
- # Set this configuration to false if you want /users/sign_out to sign out
- # only the current scope. By default, Devise signs out all scopes.
- # config.sign_out_all_scopes = true
-
- # ==> Navigation configuration
- # Lists the formats that should be treated as navigational. Formats like
- # :html, should redirect to the sign in page when the user does not have
- # access, but formats like :xml or :json, should return 401.
- #
- # If you have any extra navigational formats, like :iphone or :mobile, you
- # should add them to the navigational formats lists.
- #
- # The "*/*" below is required to match Internet Explorer requests.
- # config.navigational_formats = ["*/*", :html]
-
- # The default HTTP method used to sign out a resource. Default is :delete.
- config.sign_out_via = :delete
-
- # ==> OmniAuth
- # Add a new OmniAuth provider. Check the wiki for more information on setting
- # up on your models and hooks.
- # config.omniauth :github, 'APP_ID', 'APP_SECRET', :scope => 'user,public_repo'
-
- # ==> Warden configuration
- # If you want to use other strategies, that are not supported by Devise, or
- # change the failure app, you can configure them inside the config.warden block.
- #
- # config.warden do |manager|
- # manager.intercept_401 = false
- # manager.default_strategies(:scope => :user).unshift :some_external_strategy
- # end
-
- # ==> Mountable engine configurations
- # When using Devise inside an engine, let's call it `MyEngine`, and this engine
- # is mountable, there are some extra configurations to be taken into account.
- # The following options are available, assuming the engine is mounted as:
- #
- # mount MyEngine, at: "/my_engine"
- #
- # The router that invoked `devise_for`, in the example above, would be:
- # config.router_name = :my_engine
- #
- # When using omniauth, Devise cannot automatically set Omniauth path,
- # so you need to do it manually. For the users scope, it would be:
- # config.omniauth_path_prefix = "/my_engine/users/auth"
- config.password_length = 6..128
-end
diff --git a/config/routes.rb b/config/routes.rb
index d781ba5..1836f87 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,12 +1,6 @@
require 'sidekiq/web'
GitlabCi::Application.routes.draw do
- # Optionally, enable Resque here
- constraint = lambda { |request| request.env["warden"].authenticate? and request.env['warden'].user.admin? }
- constraints constraint do
- mount Sidekiq::Web, at: "/ext/sidekiq", as: :ext_resque
- end
-
# API
API::API.logger Rails.logger
mount API::API => '/api'
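Review bot: `require 'sidekiq/web'` on the first context line is now dead — the only `mount Sidekiq::Web` was removed together with its admin-only warden constraint — and nothing in this commit provides a replacement gate for that UI. If the mount is restored it needs a constraint written against the new session, e.g. `constraints(->(req) { req.session[:current_user] }) do` plus an admin check, since `request.env['warden']` no longer exists without devise; otherwise drop the `require`.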
@@ -27,9 +21,9 @@ GitlabCi::Application.routes.draw do
end
end
- devise_for :users
-
resources :users
+ resource :user_sessions
+
resources :runners, only: [:index, :destroy]
resource :resque, only: 'show'
diff --git a/lib/static_model.rb b/lib/static_model.rb
new file mode 100644
index 0000000..185921d
--- /dev/null
+++ b/lib/static_model.rb
@@ -0,0 +1,47 @@
+# Provides an ActiveRecord-like interface to a model whose data is not persisted to a database.
+module StaticModel
+ extend ActiveSupport::Concern
+
+ module ClassMethods
+ # Used by ActiveRecord's polymorphic association to set object_id
+ def primary_key
+ 'id'
+ end
+
+ # Used by ActiveRecord's polymorphic association to set object_type
+ def base_class
+ self
+ end
+ end
+
+ # Used by AR for fetching attributes
+ #
+ # Pass it along if we respond to it.
+ def [](key)
+ send(key) if respond_to?(key)
+ end
+
+ def to_param
+ id
+ end
+
+ def new_record?
+ false
+ end
+
+ def persisted?
+ false
+ end
+
+ def destroyed?
+ false
+ end
+
+ def ==(other)
+ if other.is_a? ::StaticModel
+ id == other.id
+ else
+ super
+ end
+ end
+end
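Review bot: `to_param` and `==` call `id`, which this module does not define and `UserSession` (the only includer in this commit) does not declare either, so both raise `NoMethodError` unless the including class adds it; document the contract with `# Including classes must define #id; it backs to_param and ==.` above `to_param`. Defining `==` on `id` without matching `eql?`/`hash` also means two "equal" instances still hash differently, which matters if they are ever used as Hash keys. In `[]`, `public_send` would make explicit that only the public interface is reachable, even though `respond_to?` already filters private methods.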